In September, experts from Keen Security Lab remotely took control of a Tesla car while it was being driven. The manufacturer later released a patch for the vulnerability these researchers exploited. Now, in an interesting new development, researchers from Promon have managed to hack a Tesla car using just an Android app. Specifically, the hack involved locating the car, unlocking it, and finally stealing it.
The researchers at Promon exploited flaws in the Android app that accompanies the car. Every Tesla car comes with a companion app, for either iOS or Android, that lets the owner check battery level and charging status, locate the car, and flash the lights to make it easier to find in a parking lot. The Promon researchers tricked the car owner into downloading a malicious app onto the smartphone. Unless a malicious app is downloaded onto the owner's smartphone, this hack of the Tesla is not possible. Tricking the owner into downloading such an app is therefore a prerequisite for any hacker who wants to hack into and steal the car.
In this experiment, the hackers tricked the Tesla owner into downloading the malicious app simply by offering a free burger as an incentive. They set up an open, free Wi-Fi hotspot close to a Tesla charging station and then showed an advertisement for the malicious app on the phones that connected to it. The advertisement asked people to download the app and get a free burger in return. Guess what? It worked.
Once the malicious app was installed on the target's smartphone, the next step was to locate the OAuth token that the Tesla server issues to the Tesla companion app when the user first logs in through the app with a username and password. According to the researchers, the token is stored in cleartext in a file in the app's sandbox folder. For subsequent logins, the app takes the token directly from this file. Once the malicious app locates the OAuth token, it resets it. So when the owner next tries to connect to the Tesla server through the companion app, the app shows an error and asks for the username and password again. When the user re-enters them, the malicious app steals them.
After stealing the OAuth token and the login credentials, the hackers had complete access to the car. They could locate it using the companion app, unlock it, enable the keyless driving functionality, and drive away with it. The researchers further explained that the vulnerability doesn’t lie in Tesla; rather, it is a glitch in mobile apps that hackers could exploit. The experiment once again highlights how dangerous it is to use third-party apps.
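The cleartext token file described above is something an app developer can check for in their own builds. The following is an added example, not code from Promon or Tesla: it scans a pulled copy of an app's data directory for OAuth token fields stored in the clear. The field-name list, file names and sample values are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Field names that commonly hold OAuth material (assumed list, extend as needed).
TOKEN_KEYS = r"(access_token|refresh_token|oauth_token|id_token)"
# Matches JSON ("key": "value"), key=value, and shared_prefs XML (name="key">value<).
PATTERN = re.compile(
    TOKEN_KEYS + r"""["']?\s*(?:[:=]\s*["']?|>\s*)([A-Za-z0-9._~+/=-]{20,})""",
    re.IGNORECASE,
)

def mask(value):
    """Keep only a short prefix so the report itself does not leak the token."""
    return value[:4] + "*" * 8

def scan_app_data(root, max_bytes=1_000_000):
    """Walk a copy of an app's data directory and report cleartext token fields."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue  # skip large blobs such as caches and databases
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for m in PATTERN.finditer(text):
                rel = os.path.relpath(path, root)
                findings.append((rel, m.group(1).lower(), mask(m.group(2))))
    return findings

def build_sample(root):
    """Constructed sample layout; file names and values are made up."""
    prefs = os.path.join(root, "shared_prefs")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "session.xml"), "w") as fh:
        fh.write('<map><string name="access_token">CONSTRUCTEDtoken0123456789abcdef</string></map>')
    with open(os.path.join(root, "settings.json"), "w") as fh:
        fh.write('{"theme": "dark", "units": "km"}')

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_app_data(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any finding means the token should move into platform-backed secure storage rather than a plain file.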